Even the MAC address can be captured by a Java applet. A self-signed Java applet can do the trick. It can be raised to the user's security level, and can run system commands if he is Administrator level or root.
On Thu, Nov 25, 2010 at 11:05 PM, mdipierro <mdipie...@cs.depaul.edu> wrote:
> web2py cannot access the MAC address of the requester. The web server
> does not provide the information. The web server may not have the
> information itself, depending on the OS. Capturing the Ethernet header
> requires more privileges than the web server has.
>
> On Nov 25, 10:21 am, Richard Vézina <ml.richard.vez...@gmail.com>
> wrote:
> > What about the MAC address?
> >
> > In an intranet a user can bump another user's IP easily.
> >
> > Consider this under Windows:
> > http://www.wikihow.com/Change-your-IP-Address-%28Windows%29
> >
> > Not sure you can pick a particular IP.
> >
> > With a VM under Linux you can pick the IP you want... It will conflict on
> > the network but it will work at least to hack web2py if you stole the
> > cookies...
> >
> > Richard
> >
> > On Thu, Nov 25, 2010 at 11:05 AM, mdipierro <mdipie...@cs.depaul.edu>
> > wrote:
> > > Consider this scenario...
> > >
> > > You use http to login and somebody intercepts the communication, steals
> > > the cookie and logs in using your credentials.
> > >
> > > This is no more possible. Now web2py checks that the IP of the client
> > > is the same as the IP of the client that started the session. If the
> > > cookie is stolen and/or used from a different IP, web2py refuses to
> > > open the corresponding session.
> > >
> > > I do not see any counter-indication. Comments?
> > >
> > > Massimo
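
The session-to-IP check discussed in this thread, as an added example that is not part of the original messages and is not web2py's own code: a session is pinned to the address that started it and is refused from any other address. The `IPBoundSessions` class, the `replay_outcomes` helper and the documentation-range addresses are constructed for illustration; the third scenario shows the limit raised in the thread, namely that the check cannot tell apart two clients presenting the same address.

```python
import ipaddress
import secrets


class IPBoundSessions:
    """Hypothetical server-side store that pins each session to its starting IP."""

    def __init__(self):
        self._sessions = {}  # session id -> (pinned address, session data)

    def start(self, client_ip):
        sid = secrets.token_urlsafe(32)  # unguessable cookie value
        # Parse once so later comparisons use the canonical form (matters for IPv6).
        self._sessions[sid] = (ipaddress.ip_address(client_ip), {})
        return sid

    def open(self, sid, client_ip):
        """Return the session data, or None if the cookie is unknown or is
        presented from an address other than the pinned one."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        pinned_ip, data = record
        try:
            presented = ipaddress.ip_address(client_ip)
        except ValueError:
            return None  # malformed address: refuse rather than guess
        if presented != pinned_ip:
            return None
        return data


def replay_outcomes():
    """Constructed scenario: one login, then the same cookie presented again."""
    store = IPBoundSessions()
    cookie = store.start("192.0.2.10")
    store.open(cookie, "192.0.2.10")["user"] = "alice"
    return {
        "owner, same IP": store.open(cookie, "192.0.2.10") is not None,
        "copied cookie, different IP": store.open(cookie, "198.51.100.7") is not None,
        # Shared NAT/proxy or a reassigned intranet address looks identical.
        "copied cookie, same IP": store.open(cookie, "192.0.2.10") is not None,
        "unknown cookie": store.open("not-a-session", "192.0.2.10") is not None,
    }


if __name__ == "__main__":
    for scenario, accepted in replay_outcomes().items():
        print(f"{scenario}: {'accepted' if accepted else 'refused'}")
```

The pin narrows where a copied cookie can be used, but it is not a substitute for keeping the cookie off plain http in the first place.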